Sponsored by..

Tuesday, 8 October 2013

I use VirusTotal quite a lot for looking at malware and determining how difficult it is to determine, and over time I've built up a fair amount of data on what performs well with the sort of malware that I throw at it.

This isn't a particularly scientific test, the malware I scan has a strong tendency to arrive by email rather than a being a drive-by download and the product settings in VirusTotal may not match typical settings when deployed.

The small print: Data is taken from the past six months and only products that have been active on VirusTotal for that whole time period are included. The scans are those that I took at the time, and they don't take into account that products would be updatesd probably catch them later (once they have infected your system). It also doesn't take into account that other components would be downloaded, some of which would subsequently be detected (again, once they have infected your system).Your mileage may vary. Other anti-virus comparisons are available.

So, which was best in this test? The full details are below, but the product that was clearly the best with detecting nastiness was Kaspersky with a very impressive 73% of samples detected. McAfee (58%), Malwarebytes (53%) and Emsisoft (50%) were the other products that detected half or more of the 62 samples.

The hall of shame is pretty shocking. ClamAV, ViRobot and Antiy-AVL detected no samples at all. TotalDefense and TheHacker detected just one sample (1.6%). Fifteen products detected 10% or less.

The Kaspersky result was surprisingly good, but McAfee's showing indicates that this product has improved a lot over recent years, leaving arch-rivals Symantec lagging with 58% detected compared to 34%. SUPERAntiSpyware has a surprisingly low detection rate of 3.2%, considering that this is a product I often use for difficult task. F-Secure, Sophos, Trend and Norman all had disappointing results. But the results for TotalDefense were shocking as this product is widely used within corporate customers, and is the endpoint security business spun out of CA.. for a paid product it seems to be essentially worthless.

The chart below shows the staggering difference in detection rates between the best and worst vendors.

In my opinion, your anti-virus product should always be the very last line of defence. But that last line should at least be effective and it may well be time to switch if your vendor is sitting near the bottom of this list.